From 24e53d6889aad0be272bc8dbc102a83e7b3eec9f Mon Sep 17 00:00:00 2001 From: killa Date: Thu, 16 Jul 2026 23:35:13 +0800 Subject: [PATCH] docs: acknowledge Y4tacker security report --- SECURITY.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 92c0187f62..d9234d92d9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,3 +14,11 @@ These versions are currently being supported with security updates. To report a security vulnerability, please do not open an issue, as this notifies attackers of the vulnerability. Instead, please email [fengmk2](mailto:fengmk2+eggjs-security@gmail.com) to disclose. + +## Security Acknowledgements + +We thank the following security researchers for responsibly disclosing vulnerabilities and helping make Egg.js more secure. + +| Researcher | Vulnerability | Fixes | +| ---------- | ------------- | ----- | +| Y4tacker | Command injection via `escapeShellArg` in `@eggjs/security` | [4.x](https://github.com/eggjs/security/pull/106), [3.x](https://github.com/eggjs/security/pull/107) |